Hi Nico,
Thanks for your extensive response!
> GSS-API exchanges always begin with an initial security context token.
> SPNEGO can carry an initial security context token for an
> optimistically selected mechanism.
In my RFC 4599 it says "The initial WWW-Authenticate header will not carry any
g
Thanks Greg and Niko
I am using MIT Kerberos at client side and AD as KDC.
I am using 8 hrs lifetime for TGT.
Now,
When I increase the time at client side, say 2015, I get the following error
codes.
gss_inquire_cred
maj_stat = 720896, min_stat = 11
gss_init_sec_context
maj_stat = 851968, min_stat
On 02/06/2014 09:24 AM, Arpit Srivastava wrote:
> When I increase the time at client side, say 2015, I get the following error
> codes.
Minor codes can't be deciphered after the fact, because they are just
points in a mapping table; you need to pass them to gss_display_status
to make them meaningful i
On 02/06/2014 08:42 AM, Rick van Rein wrote:
> In my RFC 4599 it says "The initial WWW-Authenticate header will not carry
> any gssapi-data." and I was wondering if I missed some cryptographic reason
> to delay the challenge until later.
Some terminology clarification is in order:
* SPNEGO (RFC
Hi Greg,
Thanks, the terminology has indeed been confusing to me.
I suppose things are as they are — or, as they have grown.
Thanks,
-Rick
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Rick van Rein writes:
> Thanks, the terminology has indeed been confusing to me. I suppose
> things are as they are — or, as they have grown.
The short but less polite version is that HTTP-Negotiate with SPNEGO is a
horrible hack from a Kerberos perspective. It sort of works as long as
you kno
I brain-o'ed on privacy protection. I understand what you meant now.
See what Greg and Russ have to say. But I'll add a piece here as
well:
- HTTP is not a simple protocol: there are proxies and routers involved.
- HTTP servers often act as routers.
- There can be many hops.
- A notional